Tags: kernel, libpcap, tcpdump, bpf

Are Berkeley Packet Filter opcode values implementation defined?

I always thought of tcpdump/libpcap as authoritative in the BPF arena. I noticed that the Linux kernel and tcpdump read BPF filters differently. The BPF mnemonics and behavior are the same, but the actual opcode values themselves seem different. I went looking on the internets for "The Standard", but everything I've found only has mnemonics.


Solution

  • No, other than instructions that some BPF interpreters/JITs support but others don't, they have the same binary values. Compare, for example, the current libpcap pcap/bpf.h with, at least, the Linux linux/bpf_common.h and linux/filter.h in the 3.19 kernel, and note the comment in linux/filter.h that reads:

    /*
     *      Try and keep these values and structures similar to BSD, especially
     *      the BPF code definitions which need to match so you can share filters
     */
    

    and the code in libpcap that uses the same compiler to generate BPF code for the Linux kernel, the *BSD/OS X/Solaris 11/etc. kernels, and the userland BPF interpreter, with only small code changes to deal with fetching packet metadata (rather than packet data).
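To make the "same binary values" point concrete, here is an added example (not code from the answer above, from libpcap, or from the kernel). It copies the opcode field encodings that pcap/bpf.h and linux/bpf_common.h both define, builds the classic "ip and tcp" Ethernet filter from mnemonics, checks that the resulting 16-bit opcodes are the raw numbers a `tcpdump -dd 'ip and tcp'` dump prints (0x28, 0x15, 0x30, 0x15, 0x06, 0x06), and runs the program through a small classic-BPF interpreter over constructed frames. The accept length 0x40000 in the RET instruction is an assumption (it depends on the tcpdump version and snaplen); the frames, the `struct insn` name and the helper functions are constructed for this example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode field encodings, identical in libpcap's pcap/bpf.h and Linux's
 * linux/bpf_common.h; copied here so the example builds without either header. */
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_IND  0x40
#define BPF_MSH  0xa0
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define BPF_A    0x10
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_RVAL(c)  ((c) & 0x18)

/* Same 8-byte layout as libpcap's struct bpf_insn and Linux's struct sock_filter
 * (name chosen for this example). */
struct insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

#define STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (uint32_t)(k) }

/* "ip and tcp" on an Ethernet link, written with the shared mnemonics. */
static const struct insn ip_and_tcp[] = {
    STMT(BPF_LD  | BPF_H | BPF_ABS, 12),           /* A = EtherType           */
    JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 3), /* IPv4? else -> reject    */
    STMT(BPF_LD  | BPF_B | BPF_ABS, 23),           /* A = IP protocol field   */
    JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 0, 1),      /* TCP?  else -> reject    */
    STMT(BPF_RET | BPF_K, 0x40000),                /* accept (assumed snaplen) */
    STMT(BPF_RET | BPF_K, 0),                      /* reject                  */
};
#define N_INSN (sizeof ip_and_tcp / sizeof ip_and_tcp[0])

/* Raw opcode values that tcpdump -dd prints for the same filter (assumed). */
static const uint16_t tcpdump_dd_codes[] = { 0x28, 0x15, 0x30, 0x15, 0x06, 0x06 };

/* 1 if every mnemonic-built opcode equals the raw tcpdump -dd value. */
int codes_match_tcpdump(void) {
    for (size_t i = 0; i < N_INSN; i++)
        if (ip_and_tcp[i].code != tcpdump_dd_codes[i]) return 0;
    return 1;
}

/* Bounds-checked big-endian packet load; 0 on out-of-bounds access. */
static int load(const uint8_t *pkt, size_t len, uint32_t off, int size, uint32_t *out) {
    size_t n = size == BPF_W ? 4 : size == BPF_H ? 2 : 1;
    if (off > len || len - off < n) return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | pkt[off + i];
    *out = v;
    return 1;
}

/* Minimal classic-BPF interpreter for the opcodes used here. Returns the filter
 * result (0 = drop, otherwise bytes to keep); out-of-bounds loads and unknown
 * opcodes yield 0, as the kernel and libpcap interpreters do. */
uint32_t run_filter(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (BPF_CLASS(i->code)) {
        case BPF_LD:
            if (BPF_MODE(i->code) == BPF_ABS) { if (!load(pkt, len, i->k, BPF_SIZE(i->code), &A)) return 0; }
            else if (BPF_MODE(i->code) == BPF_IND) { if (!load(pkt, len, X + i->k, BPF_SIZE(i->code), &A)) return 0; }
            else return 0;
            break;
        case BPF_LDX: {                      /* ldxb 4*([k]&0xf): IP header length */
            uint32_t b;
            if (BPF_MODE(i->code) != BPF_MSH || !load(pkt, len, i->k, BPF_B, &b)) return 0;
            X = (b & 0xf) << 2;
            break;
        }
        case BPF_JMP:                        /* jt/jf are offsets from the next insn */
            if (BPF_OP(i->code) != BPF_JEQ || BPF_SRC(i->code) != BPF_K) return 0;
            pc += (A == i->k) ? i->jt : i->jf;
            break;
        case BPF_RET:
            return BPF_RVAL(i->code) == BPF_A ? A : i->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* Builds a constructed Ethernet/IPv4 frame of the given length and filters it. */
uint32_t filter_frame(uint16_t ethertype, uint8_t ipproto, size_t len) {
    uint8_t buf[64];
    if (len > sizeof buf) len = sizeof buf;
    memset(buf, 0, sizeof buf);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[14] = 0x45;       /* IPv4, IHL 5 */
    buf[23] = ipproto;    /* IP protocol, frame offset 14 + 9 */
    return run_filter(ip_and_tcp, N_INSN, buf, len);
}

int main(void) {
    printf("sizeof(insn) = %zu, codes match tcpdump -dd: %s\n",
           sizeof(struct insn), codes_match_tcpdump() ? "yes" : "no");
    printf("IPv4/TCP  -> %" PRIu32 "\n", filter_frame(0x0800, 6, 64));
    printf("IPv4/UDP  -> %" PRIu32 "\n", filter_frame(0x0800, 17, 64));
    printf("ARP       -> %" PRIu32 "\n", filter_frame(0x0806, 6, 64));
    printf("truncated -> %" PRIu32 "\n", filter_frame(0x0800, 6, 20));
    return 0;
}
```

Because the instruction struct is 8 bytes with the same field order in both headers and the opcode bit fields decode identically, the array above could be handed unchanged to `pcap_setfilter()` via `struct bpf_program` or to `setsockopt(SO_ATTACH_FILTER)` via `struct sock_fprog`; the truncated-frame case shows the behaviour a practitioner should expect from either interpreter when a load runs past the packet.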